This might well be an obvious question and I’m quite sure I possibly know the answer but for completeness a 2nd opinion would be much appreciated.
I have an app and enable both GET and POST in my bubble api
I then protect and api workflows with an api token (I don’t have any in this application but I’ve enabled it anyway to demonstrate the point)
Am I correct in thinking that then eveything and all things (unless i restrict restrict these based on privacy roles) will be subsequently available to anyone
https://token-api-test-bboy.bubbleapps.io/version-test/api/1.1/obj/athingy